AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

HIPAA Encryption: Getting Fined For A Data Breach VS. Fined For Nearly Killing Someone

I've come across a story that evokes the kind of terror you're supposed to feel at a horror movie. According to syracuse.com, St. Joseph's Hospital Health Center nearly removed organs from a woman who was still alive. Scandalous, right? I did another double-take when I saw how much "St. Joe's" was fined for the mishap: $6,000. I mean, do you know how much HIPAA-covered entities are fined for data breaches when they don't use laptop encryption?

Life Imitating Art

The syracuse.com article is quite captivating. It begins like this:

Doctors at St. Joseph's Hospital Health Center were about to remove organs for transplant from a woman they thought was dead.

Then she opened her eyes. She was alive.

Thankfully, her organs remained untouched and in situ, but this was not enough to prevent the New York Department of Health from penalizing St. Joe's. The hospital was fined $6,000 over the snafu, plus an additional $16,000 for another medical mishap.

A number of mistakes were made, including this very egregious one:

Doctors ignored a nurse's observations indicating Burns [the woman whose organs were scheduled to be removed] was not dead and her condition was improving

Uh, does this remind anyone of Monty Python and the Holy Grail? Anyone? (The situation has a tragic turn: the woman committed suicide 16 months afterwards. She suffered from depression, apparently.)

You wanna hear something even more horrifying? Here you go:

The day before her organs were to be removed, a nurse had performed a reflex test on Burns, scraping a finger on the bottom of her foot. The toes curled downward - not the expected reaction of someone who's supposed to be dead.

There were other indications that Burns had not suffered irreversible brain damage, as doctors had determined. Her nostrils flared in the prep area outside the OR. She seemed to be breathing independently from the respirator she was attached to. Her lips and tongue moved.

Twenty minutes after those observations were made, a nurse gave Burns an injection of the sedative Ativan, according to records.

In the doctors' notes, there's no mention of the sedative or any indication they were aware of her improving condition.

None of those signs stopped the organ-harvesting process. It wasn't until Burns was wheeled into the OR on Oct. 20, 2009, opened her eyes and looked at the lights above her that doctors called it off.

Of course, you're supposed to hear both sides of the story. Well, medical experts went over it and found it equally horrifying.

As I mentioned before, the hospital was fined $6,000 for the accident, one that would have meant the certain death of a person had she not opened her eyes. That's what stopped the operation. Remember, every other sign that she was alive was ignored.

Unreal. At least this shows us the federal government is pretty serious about stopping data breaches.

HIPAA Civil Penalties: Minimum Ranges from $100 to $50,000 Per Violation

Compare the above to the civil penalties a HIPAA-covered entity faces for data breaches. There are four general violation categories, each with its own minimum and maximum penalty. The American Medical Association has a neat chart, but the minimum penalties are basically:
  • Individual did not and could not have known it was a HIPAA violation: $100 per violation
  • Violation is not due to willful neglect: $1,000 per violation
  • Violation is due to willful neglect but corrected: $10,000 per violation
  • Violation is due to willful neglect and not corrected: $50,000 per violation

Considering that most HIPAA data breaches involving electronic data affect hundreds of people at a time (at least), one could easily face more in fines for losing a USB stick than for nearly harvesting a living person's organs.

It's safe to say that hospitals, clinics, and other HIPAA-covered entities (including business associates!) need to start using encryption software to protect their patients' data, including data that might be found on BYOD devices like smartphones and tablets.

As case histories go, the implication is that losing patient data is potentially more horrible than nearly killing a person on the operating bed.

Related Articles and Sites:
http://www.syracuse.com/news/index.ssf/2013/07/st_joes_fined_over_dead_patien.html
http://www.ama-assn.org//ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page
About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.